5 elements of a successful CMaaS program

By Matt Brown

Feb 20, 2014

The current IT landscape has been hit with an unprecedented number of cyberattacks, and the number is only growing. The number of cyber incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team rose from 5,503 in fiscal year 2006 to 48,562 in fiscal year 2012, an increase of 782 percent. Defensive cyber measures alone are no longer enough to keep networks secure. Organizations must set up proactive, automated identification of vulnerabilities and attacks so that personnel can act immediately against the current threat landscape.

To accelerate the push toward continuous monitoring, the Department of Homeland Security developed a watershed project – the Continuous Diagnostics and Mitigation (CDM) program – to defend the government’s IT network infrastructure from sophisticated and aggressive cyber threats.

The CDM program enables each agency to deploy the tools and processes needed to feed real-time sensor data into its own customized dashboard, getting the right information to the right people at the right time.

To meet this goal, agencies must integrate technologies, train personnel, build processes and customize data feeds, which takes time and resources many agencies simply don't have. To address these constraints, DHS incorporated a continuous-monitoring-as-a-service (CMaaS) approach into the program, allowing agencies to buy the services needed to design, set up and maintain a continuous monitoring program.

Agencies opting for a CMaaS approach to CDM should first address these five elements:

1. Security-focused goal. To successfully monitor cyber threats, agencies need to know why they are monitoring those threats in the first place. Goals and priorities should remain security focused, not compliance focused. Defining the end goal will help get everyone on the same page, which is particularly important for those whose roles have differing priorities – such as the chief information officer and chief information security officer.

2. Security assessment. Agencies must assess the capabilities of the security technologies they already own to learn which parts of continuous monitoring, if any, are already in place, and which capabilities those tools offer that are going unused. This survey prevents the common mistake of deploying several tools against the same problem. Through CMaaS, agencies can identify exactly which technologies they have to address each requirement, what else they need, and what they can cover by reconfiguring existing assets.

3. Strategy development. While technology is a large component of continuous monitoring, a successful strategy depends less on technology and more on a sustainable governance model. As an agency pursues its strategy, the way security-related decisions are authorized will change: authorization decisions move from periodic reauthorization of a system to ongoing authorization informed by monitoring data. Agencies must therefore build a program that integrates an ongoing authorization plan consistent with the overall objective of continuous monitoring.

4. Procedure evaluation. Agencies should evaluate their existing security processes to ensure they continue to comply with federal laws, directives and organizational policies. Policy and processes will need updating so that they permit, rather than impede, continuous monitoring and ongoing authorization.

5. Timeline development. Be realistic about the time it will take to establish continuous monitoring and to make the governance changes needed for the new strategy to be accepted by the entire stakeholder population, not just the security office. In building the timeline, agencies must work closely with DHS Federal Network Resilience to coordinate internal changes with the timelines and capabilities acquired through the CDM contract.

By leveraging the full capabilities of CMaaS, an agency can more effectively identify security vulnerabilities and prioritize the remediation actions that do the most to reduce overall risk. It can also measure the effectiveness of its program by tracking vulnerability reduction and remediation over time. That measurable reduction is the return on investment that demonstrates the value of a continuous monitoring strategy.
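As an added example of the measurement described above (not code from the article, DHS or the CDM program), the following Python script takes a series of scan snapshots and reports, for each scan, the number of open findings and a severity-weighted risk score, the percentage risk reduction from first to last scan, and the median days to remediate per severity. The snapshots, host names, finding identifiers such as V-001 and the severity weights are all constructed for the example; a real program would pull the snapshots from its scanner or CDM feed.

```python
"""Track vulnerability reduction and remediation over time from scan snapshots.

Added example: the snapshots, host names, finding ids (V-001 ...) and severity
weights below are constructed for illustration, not real data.
"""
from datetime import date
from statistics import median

# Assumed weighting; real programs usually take it from their scanner's scoring.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Each snapshot: (scan date, {(host, finding id): severity}) for findings open at that scan.
SNAPSHOTS = [
    (date(2014, 1, 6), {
        ("web01", "V-001"): "critical",
        ("web01", "V-002"): "high",
        ("db01", "V-003"): "high",
        ("db01", "V-004"): "medium",
        ("app01", "V-005"): "low",
    }),
    (date(2014, 1, 13), {            # V-001 fixed; V-006 newly discovered
        ("web01", "V-002"): "high",
        ("db01", "V-003"): "high",
        ("db01", "V-004"): "medium",
        ("app01", "V-005"): "low",
        ("app01", "V-006"): "high",
    }),
    (date(2014, 1, 20), {            # V-002, V-003 and V-006 fixed
        ("db01", "V-004"): "medium",
        ("app01", "V-005"): "low",
    }),
]


def risk_score(findings):
    """Severity-weighted sum: a flat open count hides whether the worst items are closing."""
    return sum(SEVERITY_WEIGHT[sev] for sev in findings.values())


def trend(snapshots):
    """Per scan: (date, open finding count, risk score)."""
    return [(d, len(f), risk_score(f)) for d, f in snapshots]


def risk_reduction_percent(snapshots):
    """Percent drop in risk score from the first scan to the last, rounded to 0.1."""
    first, last = risk_score(snapshots[0][1]), risk_score(snapshots[-1][1])
    return round(100.0 * (first - last) / first, 1) if first else 0.0


def remediation_events(snapshots):
    """Findings that disappeared between scans, as (key, severity, days_open).

    A finding is open from the first scan it appears in. If it reappears after
    being closed it is counted as a new finding, so regressions are not hidden
    inside one long-lived record.
    """
    open_since = {}   # key -> (date first seen in the current run, severity)
    events = []
    for scan_date, findings in snapshots:
        for key in list(open_since):
            if key not in findings:
                seen, sev = open_since.pop(key)
                events.append((key, sev, (scan_date - seen).days))
        for key, sev in findings.items():
            open_since.setdefault(key, (scan_date, sev))
    return events


def median_days_to_remediate(snapshots, severity=None):
    """Median days open for closed findings, optionally for one severity; None if none closed."""
    days = [d for _, sev, d in remediation_events(snapshots)
            if severity is None or sev == severity]
    return median(days) if days else None


if __name__ == "__main__":
    for scan_date, open_count, score in trend(SNAPSHOTS):
        print(f"{scan_date}: {open_count} open, risk score {score}")
    print(f"risk reduction first->last: {risk_reduction_percent(SNAPSHOTS)}%")
    for sev in ("critical", "high"):
        print(f"median days to remediate ({sev}): {median_days_to_remediate(SNAPSHOTS, sev)}")
```

In the constructed data the open count is unchanged between the first two scans (a critical finding was closed while a high one was discovered), but the weighted score still falls, which is why a program should report a severity-weighted measure alongside raw counts when it demonstrates risk reduction over time.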